Certificate Properties OCSP Tab

The OCSP tab is used by administrators to add Online Certificate Status Protocol (OCSP) responder URLs to issuing certification authority (CA) certificates, which are distributed by Group Policy to Active Directory domain members. This enables organizations to add OCSP responders to an existing public key infrastructure (PKI) without reissuing the CA certificate or any certificates previously issued by the CA. OCSP responder URLs provided in this way are used to verify certificate revocation status of certificates issued by the CA.

Enterprise Admins is the minimum group membership required to complete this procedure.

To add an OCSP responder URL to a CA certificate

Click Start, and then click Run. Type gpmc.msc, and click OK to open the Group Policy Management Console (GPMC).

In the console tree, expand the forest and domain containing the policy that you want to edit, and then click Group Policy Objects.

If no CA certificates are displayed, export the CA certificate from the issuing CA, and import the certificate into Intermediate Certification Authorities. See Export a Certificate.

Right-click the CA certificate, click Properties, and then click the OCSP tab.

Type an OCSP responder URL, and click Add URL.

If you want to prevent domain members from downloading CRLs from CRL distribution point locations specified in issued certificates, select the Disable Certificate Revocation List (CRL) check box.

Caution

Disabling CRLs is not recommended. OCSP takes precedence over CRLs when URLs for both are provided. However, the revocation checking process determines when downloading and caching a single CRL is more efficient than multiple OCSP requests.

Click OK to save changes.

Note

Changes in Group Policy are applied by domain members periodically based on the Group Policy refresh interval, during computer startup, and during user logon. The default refresh interval is 90 minutes. To immediately refresh Group Policy on a domain member, run the Gpupdate command.